Server-Side Request Forgery
摘要
Between January and March 2021, a sophisticated threat actor known as HAFNIUM unleashed one of the most devastating supply chain attacks in cybersecurity history. The China-nexus advanced persistent threat (APT) group exploited CVE-2021-26855, a server-side request forgery vulnerability in Microsoft Exchange Server's endpoints. This vulnerability allowed unauthenticated attackers to send arbitrary HTTP requests through the Exchange Server, effectively authenticating as the server itself. Within weeks, over 250,000 Exchange Servers worldwide were compromised, exposing millions of email accounts and providing backdoor access to corporate networks. While Microsoft's security bulletins focused on the Exchange Server architecture, the root cause was a classic SSRF vulnerability. The server's proxy endpoints accepted and forwarded user-controlled parameters without proper validation, enabling attackers to access internal resources and bypass authentication entirely.